I am trying to check the Infrastructure encryption status via powershell. Here is the screenshot Encryption
I referenced this doc("https://learn.microsoft.com/en-us/azure/storage/common/infrastructure-encryption-enable?tabs=portal") and tried the below script but didn't get any result.
$account = Get-AzStorageAccount -ResourceGroupName `
-StorageAccountName $account.Encryption.RequireInfrastructureEncryption
Is there a way to see if the Infrastructure encryption is enabled or disabled?
Thank you
From that docs, there are two kinds of encryption levels for Azure storage account, at the service level and at the infrastructure level. By default, Azure Storage automatically encrypts all data in a storage account at the service level using 256-bit AES encryption, customers who require higher levels of assurance that their data is secure can also enable 256-bit AES encryption at the Azure Storage infrastructure level.
To doubly encrypt your data, you must first create a storage account that is configured for infrastructure encryption.
In this case, if you have not enabled the infrastructure encryption, you could see the "requireInfrastructureEncryption": null with Azure CLI.
az storage account show --name <storage-account> --resource-group <resource-group>
To Verify that infrastructure encryption is enabled, you could Register to use infrastructure encryption,
Register-AzProviderFeature -ProviderNamespace Microsoft.Storage `
-FeatureName AllowRequireInfraStructureEncryption
Create an account with infrastructure encryption enabled,
New-AzStorageAccount -ResourceGroupName <resource_group> `
-AccountName <storage-account> `
-Location <location> `
-SkuName "Standard_RAGRS" `
-Kind StorageV2 `
-RequireInfrastructureEncryption
Then you can Verify that infrastructure encryption is enabled with the PowerShell scripts.
$account = Get-AzStorageAccount -ResourceGroupName <resource-group> `
-StorageAccountName <storage-account>
$account.Encryption.RequireInfrastructureEncryption
Related
When I try to encrypt an Azure VM(Windows Server 2016) disk using a key in the key vault, I receive the below error. Can someone suggest what I am missing?
[{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "[2.2.0.45] Failed to enable Azure Disk Encryption on the VM with the following exception details:\n Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerFailedToSendEncryptionSettingsException: Unable to find additional details in disk encryption response\r\n at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.WireProtocol.WireProtocolMessage.SendEncryptionSettingsToHost() in C:\__w\1\s\src\BitLocker\BitlockerIaasVMExtension\WireProtocol\WireProtocolMessage.cs:line 210\r\n at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.SendEncryptionSettingsToHostV3(VmEncryptionSettings vmSettings) in C:\__w\1\s\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line
I tried to reproduce the same in my environment to encrypt the Azure VM Disks using PowerShell:
Make sure that Connect-AzAccount with contributor role or owner role to create resources and modify in resource group, and also check if drive is already encrypted with Bitlocker and Azure Disk Encryption, Kindly decrypt the drivers before ran the script.
PowerShell Script to encrypt Azure VM:
#Connect to Azure Account with Contributor role or Admin role.
Connect-AzAccount
Create a resource group:
New-AzResourceGroup -Name "myResourceGroup" -Location "EastUS"
Create a Key vault:
New-AzKeyvault -name thejaKVtest -ResourceGroupName myResourceGroup -Location EastUS -EnabledForDiskEncryption
#Store the value in Keyvault
$KeyVault = Get-AzKeyVault -VaultName thejaKVtest -ResourceGroupName MyResourceGroup
Encrypt Azure VM:
Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName <YourVM Name> -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId
Get Azure vm encryption status:
Get-AzVmDiskEncryptionStatus -VMName MyVm -ResourceGroupName MyResourceGroup
If still same error, kindly check the below settings in key vault , like below.
Azure Portal > Key Vault > Select your Key Vault > Access Configuration > Enable Azure Disk Encryption for volume encryption
Reference: Create and encrypt a Windows virtual machine in Azure with PowerShell
I am following this tutorial where it required to use an Azure Managed Identity assigned to an Azure Storage Account.
https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#about-customer-managed-keys
In the tutorial the step 1. is:
An Azure Key Vault admin grants permissions to encryption keys to the managed identity that's associated with the storage account.
However I cannot find a way to see or assign a managed identity to an SA. It seems that SAs have no managed identities out of the box..
Any hints?
I don't think so that it's possible to view that in the portal but I am sure that powershell can help you. As far as i know that are two ways to check if your storage account has a Principal Id assigned. One way is to check in azure AD by typing Get-AzADServicePrincipal -DisplayName storageAccountName and another one is:
$stgName = "stgName"
$rgName = "rgName"
$stg = Get-AzStorageAccount -StorageAccountName $stgName -ResourceGroupName $rgName
$stg.identity
if you have managed identity assigned so you can see principal id. Otherwrise:
Set-AzStorageAccount -ResourceGroupName $rgName -AccountName $stgName -AssignIdentity
I am trying to automate the creation of certain azure resources via an Azure PowerShell script that is triggered from an Azure DevOps release pipeline. I want to create a function app, and automatically integrate reading right access to secrets in an already existing Key Vault. This Key Vault is in the same Azure subscription.
While I can create most resources following the documentation, there seems to be a lack of documentation regarding the creation of certain resources using Azure PowerShell (or I can't find it).
If I follow the sample from this link, I can accomplish it without a problem by using the UI in the Azure Portal, but I can't find any documentation on Microsoft Docs to do it using PowerShell.
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name $functionAppName `
-ResourceGroupName $emailFunctionRg `
-Location "$(AzureRegion)" `
-StorageAccount $storageName `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
$appId = Get-AzADServicePrincipal -DisplayName $functionAppName
Set-AzKeyVaultAccessPolicy -VaultName EmailSettings -ServicePrincipalName $appId -PermissionsToSecrets Get,List
Write-Host "Key Vault access granted!"
Running Set-AzKeyVaultAccessPolicy fails with "Insufficient privileges to complete the operation.". But I am not sure if this is the right path to follow, it was just a guess, based on the available functions in the documentation.
Any ideas?
Two potential issues to check out here:
your app creation assigns the result to $fnApp. perhaps $fnApp or as commented above, $fnApp.ApplicationId is what you should be using for the -ServicePrincipalName parameter on the access policy grant.
you don't have privileges to assign RBAC roles. Go to the Key Vault, choose Access Control, then click the Role Assignments tab and verify that your user appears in the list as an Administrator, User Access Administrator, or Owner.
Edit: With respect to the RBAC privilege, since this is running in Azure Powershell from Azure DevOps, you need to check the role assignment for the Service Connection's service principal - under Azure Active Directory in the Azure Portal, look up the principal used to create the service connection, and make sure THAT gets the correct Role on the key vault.
After a little of trial and error I just came to the conclusion I was not using the right parameter for the Set-AzKeyVaultAccessPolicy cmdlet.
The following script will work (if the service principle running it has the appropriate role, like WaitingForGuacamole mentioned in his/her answer):
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name <FnAppName> `
-ResourceGroupName <ResourceGroupName> `
-Location <AzureRegion> `
-StorageAccount <StorageAccount> `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
Set-AzKeyVaultAccessPolicy -VaultName <NameOfTheKeyVault> -ObjectId (Get-AzADServicePrincipal -DisplayName <FnAppName>).Id -PermissionsToSecrets <Get, List, etc...>
Write-Host "Key Vault access granted!"
I'm a bit of an Azure & Powershell newbie.
I'm trying to write PowerShell scripts to create an environment that can be published to from Azure DevOps.
As part of that, I'm creating a Service Bus with multiple topics. Each of the topics will have multiple Authorization Rules - one for publication and one for subscription.
I have the scripts for this working. However, I need to get the connection strings for these rules and save them to a key vault, to make them available to apps.
This is where I have become stuck.
This is similar to my existing code:
New-AzServiceBusTopic -ResourceGroupName myResourceGroup -Namespace myServiceBus -EnablePartitioning $false -Name myTopic
New-AzServiceBusAuthorizationRule `
-ResourceGroupName myResourceGroup `
-Namespace myServiceBus `
-Topic myTopic`
-Name myTopic.pub `
-Rights #("Send")
In the Azure Portal, I would click into the Service bus and Topic, select Shared Access Policies and click on the policy. It would show me the SAS Policy with the Primary Connection String.
Is there any way in PowerShell to get the Primary Connection String?
Thanks
If you have azure powershell Az.ServiceBus module installed, you can directly use this command: Get-AzServiceBusKey.
For example:
Get-AzServiceBusKey -ResourceGroup Default-ServiceBus-WestUS -Namespace SB-Example1 -Name AuthoRule1
I am trying to get Azure Storage's encryption status from command line or programatically but could not find any relevant cmdlet(https://learn.microsoft.com/en-us/powershell/module/azure.storage/get-azurestorageserviceproperty?view=azurermps-6.13.0).
I can check that manually from portal like this
is it avilable to check through any command line or we have to check only through portal ?
You could use the command below, make sure you have installed the Az module.
(Get-AzResource -ResourceGroupName <group-name> -ResourceType Microsoft.Storage/storageAccounts -Name <storageaccount-name>).Properties.encryption | ConvertTo-Json
If the Encryption type is Microsoft-managed keys, the keySource will be Microsoft.Storage.
If the Encryption type is Customer-managed keys, the keySource will be Microsoft.Keyvault, keyvaultproperties will include the properties of the keyvault key you configured.
You can make use of Get-AzStorageAccount PowerShell Cmdlet.
$props = Get-AzStorageAccount -ResourceGroupName "your-resource-group-name" -Name "storageaccount-name"
$keySource = $props.Encryption.KeySource
$keySource should tell you the encryption type used. In my case, it printed Microsoft.Storage